CVE-2014-2016

Name of the Vulnerable Software and Affected Versions OXID eShop Professional and Community Edition versions 4.6.8 and earlier, 4.7.x before 4.7.11, 4.8.x before 4.8.4 OXID eShop Enterprise Edition versions 4.6.8 and earlier, 5.0.x before 5.0.11, 5.1.x before 5.1.4

Description The issue allows remote attackers to inject arbitrary web script or HTML via the searchtag parameter to the getTag function in files such as details.php or tag.php. This can lead to cross-site scripting (XSS) attacks.

Recommendations For OXID eShop Professional and Community Edition versions 4.6.8 and earlier, update to version 4.7.11 or later, or 4.8.4 or later. For OXID eShop Professional and Community Edition versions 4.7.x before 4.7.11, update to version 4.7.11 or later. For OXID eShop Professional and Community Edition versions 4.8.x before 4.8.4, update to version 4.8.4 or later. For OXID eShop Enterprise Edition versions 4.6.8 and earlier, update to version 5.0.11 or later, or 5.1.4 or later. For OXID eShop Enterprise Edition versions 5.0.x before 5.0.11, update to version 5.0.11 or later. For OXID eShop Enterprise Edition versions 5.1.x before 5.1.4, update to version 5.1.4 or later. As a temporary workaround, consider restricting access to the getTag function in details.php and tag.php to minimize the risk of exploitation. Avoid using the searchtag parameter in the affected API endpoints until the issue is resolved.